CVE-2023-37261
Weakness (CWE)
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: None
Description
OpenComputers is a Minecraft mod that adds programmable computers and robots to the game. This issue affects every version of OpenComputers with the Internet Card feature enabled; that is, OpenComputers 1.2.0 until 1.8.3 in their most common, default configurations. If the OpenComputers mod is installed as part of a Minecraft server hosted on a popular cloud hosting provider, such as AWS, GCP and Azure, those metadata services' API endpoints are not forbidden (aka "blacklisted") by default. As such, any player can gain access to sensitive information exposed via those metadata servers, potentially allowing them to pivot or privilege escalate into the hosting provider. In addition, IPv6 addresses are not correctly filtered at all, allowing broader access into the local IPv6 network. This can allow a player on a server using an OpenComputers computer to access parts of the private IPv4 address space, as well as the whole IPv6 address space, in order to retrieve sensitive information. OpenComputers v1.8.3 for Minecraft 1.7.10 and 1.12.2 contains a patch for this issue. Some workarounds are also available. One may disable the Internet Card feature completely. If using OpenComputers 1.3.0 or above, using the allow list (`opencomputers.internet.whitelist` option) will prohibit connections to any IP addresses and/or domains not listed; or one may add entries to the block list (`opencomputers.internet.blacklist` option). More information about mitigations is available in the GitHub Security Advisory.
Comprehensive Technical Analysis of CVE-2023-37261 (OpenComputers Internet Card Vulnerability)
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2023-37261
CVSS Score: 9.6 (Critical) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Vector Breakdown:
- Attack Vector (AV:N): Network-based exploitation (remote attack surface).
- Attack Complexity (AC:L): Low – No specialized conditions required.
- Privileges Required (PR:L): Low – An ordinary player account on the server is enough; no server-side privileges are needed. (The vector header above records PR:L, which is what yields the 9.6 score; PR:N with the same impact metrics would score 10.0.)
- User Interaction (UI:N): None – No user action needed.
- Scope (S:C): Changed – Impacts beyond the vulnerable component (cloud metadata services).
- Confidentiality (C:H): High – Sensitive cloud metadata exposure.
- Integrity (I:H): High – Potential for privilege escalation.
- Availability (A:N): None – No direct impact on availability.
Severity Justification
The vulnerability is critical due to:
- Remote exploitation by any player who can join the server, using a normal Minecraft game client.
- High-impact information disclosure (cloud metadata, internal network reconnaissance).
- Privilege escalation potential (cloud provider credentials, internal network pivoting).
- Broad attack surface (default configurations, IPv6 exposure).
2. Potential Attack Vectors and Exploitation Methods
Primary Exploitation Path
- Cloud Metadata Service Access (AWS/GCP/Azure)
  - OpenComputers’ Internet Card allows HTTP requests to arbitrary IPs/domains by default.
  - Cloud metadata endpoints (169.254.169.254, used by AWS, GCP and Azure alike) are not blacklisted in default configurations.
  - An attacker can query these endpoints to retrieve:
    - Temporary credentials (IAM roles, service account tokens).
    - Instance metadata (network configuration, user data scripts).
    - SSH keys, API keys, and other secrets injected via cloud-init.
- IPv4/IPv6 Network Reconnaissance
  - IPv4: The mod does not properly filter private/reserved address ranges (RFC 1918, RFC 5735), allowing access to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (internal networks) and 169.254.0.0/16 (link-local, including cloud metadata).
  - IPv6: No filtering at all, enabling access to fc00::/7 (Unique Local Addresses – ULA), fe80::/10 (Link-Local) and the entire IPv6 address space (potential for internal network scanning).
Exploitation Steps
- Step 1: A player joins a Minecraft server with OpenComputers installed.
- Step 2: The player crafts an OpenComputers computer with an Internet Card.
- Step 3: The player executes Lua code to send HTTP requests to:
  - Cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/).
  - Internal IPv4/IPv6 addresses (e.g., http://[fe80::1] for link-local services).
- Step 4: Retrieved credentials/secrets are exfiltrated (e.g., via in-game chat, external HTTP POST).
- Step 5: Attacker uses stolen credentials to:
- Pivot into cloud environments (AWS/GCP/Azure).
- Escalate privileges (e.g., assume IAM roles).
- Move laterally within the internal network.
Secondary Attack Vectors
- DNS Rebinding Attacks: If the server allows DNS resolution, an attacker could use a malicious domain to bypass IP-based restrictions.
- SSRF (Server-Side Request Forgery) Chaining: If the Minecraft server has other vulnerable services, this could lead to full server compromise.
- Container Escape: If the Minecraft server runs in a container (e.g., Docker, Kubernetes), metadata access could lead to host compromise.
3. Affected Systems and Software Versions
Vulnerable Versions
- OpenComputers 1.2.0 – 1.8.2 (all versions with Internet Card enabled).
- Minecraft Versions: 1.7.10, 1.12.2 (most commonly affected).
- Default Configurations: The vulnerability is present out-of-the-box unless explicitly mitigated.
Affected Environments
- Minecraft Servers hosted on:
- Cloud Providers (AWS, GCP, Azure, DigitalOcean, etc.) – Highest risk due to metadata exposure.
- On-Premises/Private Networks – Risk of internal network reconnaissance.
- Modpacks Including OpenComputers (e.g., FTB, Technic, ATLauncher).
Not Affected
- OpenComputers 1.8.3+ (patched version).
- Servers with Internet Card disabled.
- Servers with proper IP/domain allowlisting/blocklisting.
4. Recommended Mitigation Strategies
Immediate Actions (For Server Administrators)
| Mitigation | Implementation | Effectiveness |
|---|---|---|
| Upgrade to OpenComputers 1.8.3+ | Apply the latest patch from GitHub Releases. | High – Fixes the core issue. |
| Disable Internet Card | Remove or disable the Internet Card component in config/opencomputers/main.conf. | High – Eliminates the attack surface. |
| Enable IP/Domain Allowlisting | Set opencomputers.internet.whitelist in config/opencomputers/main.conf to only allow trusted IPs/domains. | Medium-High – Restricts access but requires maintenance. |
| Enable IP/Domain Blocklisting | Add cloud metadata IPs (169.254.169.254, fd00::/8, etc.) to opencomputers.internet.blacklist. | Medium – Partial mitigation; may miss edge cases. |
| Network-Level Restrictions | Use firewall rules (e.g., iptables/nftables) to block outbound traffic to metadata endpoints. | High – Prevents exploitation even if the mod is misconfigured. |
| Isolate Minecraft Server | Run the server in a dedicated VLAN/namespace with no access to internal networks. | High – Limits lateral movement. |
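The blocklist row of the table is marked "may miss edge cases". The following Python script, added here as an example and not taken from the mod, the advisory or the GitHub Security Advisory, audits a candidate `opencomputers.internet.blacklist` value against the address ranges this page names and reports which of them a given list still leaves reachable. It also shows one concrete edge case: a request filter that compares an IPv6 literal only against IPv6 entries never matches the IPv4-mapped form `::ffff:169.254.169.254`, so the filter below unwraps mapped addresses before checking. The `SENSITIVE_RANGES` table and both candidate blocklists are constructed for this example; the AWS IPv6 IMDS address `fd00:ec2::254` comes from AWS documentation, not from this page.

```python
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed reference table for this example (not the mod's own defaults):
# ranges an Internet Card request filter should refuse, keyed by a label.
SENSITIVE_RANGES: Dict[str, str] = {
    "cloud metadata (IPv4)": "169.254.169.254/32",
    "AWS IMDS (IPv6)": "fd00:ec2::254/128",
    "RFC 1918 10/8": "10.0.0.0/8",
    "RFC 1918 172.16/12": "172.16.0.0/12",
    "RFC 1918 192.168/16": "192.168.0.0/16",
    "IPv4 link-local": "169.254.0.0/16",
    "IPv4 loopback": "127.0.0.0/8",
    "IPv6 loopback": "::1/128",
    "IPv6 link-local": "fe80::/10",
    "IPv6 unique local": "fc00::/7",
}

# Two constructed candidate values for opencomputers.internet.blacklist:
# the minimal pair suggested by the table, and a fuller list.
PARTIAL_BLOCKLIST = ["169.254.169.254", "fd00::/8"]
FULL_BLOCKLIST = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
]


def parse_networks(entries: Iterable[str]) -> List[Network]:
    """Parse blocklist entries (bare IPs or CIDRs) into network objects.
    A bare address becomes a /32 or /128; unparsable entries are reported
    and skipped rather than silently dropped."""
    nets: List[Network] = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            print(f"skipping unparsable blocklist entry: {entry!r}")
    return nets


def normalize(addr: str) -> Address:
    """Parse an address literal, unwrapping the IPv4-mapped IPv6 form
    (::ffff:169.254.169.254) so it is judged by the IPv4 rules."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def naive_is_blocked(addr: str, entries: Iterable[str]) -> bool:
    """Filter that compares the literal exactly as written; a mapped IPv4
    address is an IPv6 object here and never matches an IPv4 entry."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    return any(ip in net for net in parse_networks(entries))


def is_blocked(addr: str, entries: Iterable[str]) -> bool:
    """Filter that normalizes first, so mapped IPv4 cannot slip through."""
    ip = normalize(addr)
    return any(ip in net for net in parse_networks(entries))


def audit_blocklist(entries: Iterable[str]) -> Dict[str, bool]:
    """Map each sensitive range to True when some blocklist entry covers it
    entirely (subnet_of), False when any part of it stays reachable."""
    nets = parse_networks(entries)
    coverage: Dict[str, bool] = {}
    for label, cidr in SENSITIVE_RANGES.items():
        target = ipaddress.ip_network(cidr)
        coverage[label] = any(
            target.version == net.version and target.subnet_of(net) for net in nets
        )
    return coverage


def uncovered(entries: Iterable[str]) -> List[str]:
    """Labels of sensitive ranges the given blocklist leaves reachable."""
    return [label for label, ok in audit_blocklist(entries).items() if not ok]


if __name__ == "__main__":
    for name, bl in (("partial", PARTIAL_BLOCKLIST), ("full", FULL_BLOCKLIST)):
        print(f"{name} blocklist still leaves reachable: {uncovered(bl) or 'nothing'}")
    probe = "::ffff:169.254.169.254"
    print(f"naive filter blocks {probe}? {naive_is_blocked(probe, PARTIAL_BLOCKLIST)}")
    print(f"normalizing filter blocks {probe}? {is_blocked(probe, PARTIAL_BLOCKLIST)}")
```

Run it as-is to compare the two constructed lists; to audit a real server, paste the entries from the `opencomputers.internet.blacklist` option into `parse_networks`. Note that the audit only reasons about address literals: a blocklist cannot stop a hostname that resolves to a blocked address at request time, which is why the table also recommends network-level egress rules.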
Long-Term Recommendations
- Monitor for Exploitation Attempts:
  - Log all HTTP requests from OpenComputers (if possible).
  - Alert on attempts to access 169.254.169.254, private IPs, or IPv6 link-local addresses.
- Audit Cloud Metadata Permissions:
  - Restrict IAM roles to least privilege.
  - Disable IMDSv1 (use IMDSv2 with session tokens).
- Segment Minecraft Servers:
  - Use microsegmentation (e.g., Kubernetes Network Policies, AWS Security Groups) to limit egress traffic.
- Educate Server Operators:
  - Warn about the risks of modded Minecraft servers in cloud environments.
5. Impact on the Cybersecurity Landscape
Broader Implications
- Cloud Security Risks
  - Highlights misconfigurations in cloud metadata services (a recurring issue in cloud breaches).
  - Demonstrates how gaming mods can introduce enterprise-grade risks in cloud environments.
- Supply Chain & Third-Party Risks
  - OpenComputers is a popular mod (~10M+ downloads), meaning many servers are likely vulnerable.
  - Modpacks (e.g., FTB, Technic) may bundle vulnerable versions, increasing exposure.
- IPv6 Security Gaps
  - Many organizations neglect IPv6 security, and this vulnerability exploits that oversight.
  - Could lead to unexpected internal network exposure via IPv6.
- Gaming as an Attack Vector
  - Minecraft servers are increasingly targeted for:
    - Cryptojacking (via mods like this).
    - Credential theft (cloud metadata, internal services).
    - Lateral movement into corporate networks.
Historical Context
- Similar vulnerabilities have been exploited in the past:
- CVE-2019-5736 (Docker escape via metadata).
- Capital One Breach (2019) – SSRF to AWS metadata.
- Recent Minecraft mod exploits (e.g., Log4Shell in modded servers).
6. Technical Details for Security Professionals
Root Cause Analysis
The vulnerability stems from insufficient input validation in OpenComputers’ Internet Card component:
- No Default Blacklisting of Sensitive IPs
  - The mod does not block cloud metadata endpoints (169.254.169.254) or private IP ranges by default.
  - IPv6 filtering is entirely missing, allowing unrestricted access.
- Lua HTTP Request Handling
  - The Internet Card allows arbitrary HTTP requests via Lua scripts:
    ```lua
    local internet = require("internet")
    local response = internet.request("http://169.254.169.254/latest/meta-data/iam/security-credentials/")
    ```
  - No sandboxing or rate-limiting is applied.
- Configuration Overrides Not Enforced
  - While whitelist/blacklist options exist, they are not enabled by default, leaving servers exposed.
Patch Analysis (OpenComputers 1.8.3)
The fix introduces:
- Default Blacklisting of Cloud Metadata IPs
  - Blocks 169.254.169.254 (AWS/GCP/Azure) and similar endpoints.
- IPv6 Filtering
  - Now blocks link-local (fe80::/10) and unique local (fc00::/7) addresses.
- Stricter Private IPv4 Filtering
  - Properly blocks 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16.
Exploitation Proof of Concept (PoC)
A simple Lua script to exfiltrate AWS credentials:
```lua
local internet = require("internet")
local component = require("component")
local event = require("event")
-- Query AWS metadata for IAM credentials
local url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
local response = internet.request(url)
local result = ""
for chunk in response do
  result = result .. chunk
end
-- Exfiltrate via in-game chat (or external HTTP POST)
component.chat_box.say("AWS Credentials: " .. result)
```
Detection & Forensics
- Network-Level Indicators:
  - Outbound HTTP requests to 169.254.169.254.
  - Unusual IPv6 traffic (e.g., fe80::, fc00::).
- Log Analysis:
  - Minecraft server logs showing Lua script execution with internet.request.
  - Cloud provider logs showing unexpected metadata API access.
- Memory Forensics:
  - Check for Lua scripts in OpenComputers’ computer memory.
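The network-level indicators above are easiest to act on from egress logs captured outside the game server (a host firewall, an egress proxy, or VPC flow logs), because the mod itself does not record request destinations. The Python script below is an added example, not part of this advisory or of OpenComputers: it runs the indicator list over a handful of constructed key=value egress log lines (a hypothetical format, not the output of any real firewall or of the Minecraft server) and raises one alert per request whose destination falls in a metadata, private, link-local or unique-local range. The most specific range is checked first so a hit on 169.254.169.254 is labelled as metadata access rather than generic link-local traffic, and IPv4-mapped IPv6 destinations are unwrapped so the mapped form of the metadata address is not missed. The AWS IPv6 IMDS address `fd00:ec2::254` comes from AWS documentation, not from this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ordered (label, network) pairs; the most specific entry comes first so a hit
# on 169.254.169.254 is reported as metadata access, not generic link-local.
WATCHED = [
    ("cloud-metadata", ipaddress.ip_network("169.254.169.254/32")),
    ("aws-imds-ipv6", ipaddress.ip_network("fd00:ec2::254/128")),
    ("ipv4-link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("ipv6-link-local", ipaddress.ip_network("fe80::/10")),
    ("ipv6-unique-local", ipaddress.ip_network("fc00::/7")),
]

# Constructed egress log lines in a hypothetical key=value format (not the
# output of any real firewall, proxy or the Minecraft server). 203.0.113.0/24
# is documentation address space and stands in for an ordinary public host.
SAMPLE_LOG = """\
2023-07-10T14:02:11Z host=mc-1 proto=tcp dst=203.0.113.10 dport=443 bytes=1420
2023-07-10T14:02:13Z host=mc-1 proto=tcp dst=169.254.169.254 dport=80 bytes=512
2023-07-10T14:02:14Z host=mc-1 proto=tcp dst=[fe80::1] dport=80 bytes=0
2023-07-10T14:02:20Z host=mc-2 proto=tcp dst=10.0.3.7 dport=22 bytes=96
2023-07-10T14:02:21Z host=mc-2 proto=tcp dst=api.example.net dport=443 bytes=880
2023-07-10T14:02:25Z host=mc-2 proto=tcp dst=::ffff:169.254.169.254 dport=80 bytes=512
""".splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    timestamp: str
    host: str
    dst: str
    reason: str


def parse_line(line: str) -> dict:
    """Split a log line into its key=value fields plus the leading timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def classify_destination(dst: str) -> Optional[str]:
    """Label of the first watched range containing dst, or None.
    Raises ValueError for hostnames, which need DNS logs to resolve."""
    ip = ipaddress.ip_address(dst.strip("[]"))
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata service
    for label, net in WATCHED:
        if ip in net:
            return label
    return None


def scan_egress_log(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per line whose destination falls in a watched range."""
    alerts: List[Alert] = []
    for line in lines:
        f = parse_line(line)
        dst = f.get("dst")
        if not dst:
            continue
        try:
            label = classify_destination(dst)
        except ValueError:
            continue  # hostname rather than a literal: out of scope for this check
        if label is not None:
            alerts.append(Alert(f["timestamp"], f.get("host", "?"), dst, label))
    return alerts


def hosts_touching_metadata(alerts: Iterable[Alert]) -> List[str]:
    """Distinct hosts, in order of first sighting, that reached a metadata endpoint."""
    seen: List[str] = []
    for a in alerts:
        if a.reason in ("cloud-metadata", "aws-imds-ipv6") and a.host not in seen:
            seen.append(a.host)
    return seen


if __name__ == "__main__":
    found = scan_egress_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} -> {a.dst} [{a.reason}]")
    print("hosts that reached metadata:", hosts_touching_metadata(found))
```

Hostname destinations are deliberately skipped rather than resolved: resolving them from the detector would itself be an outbound request, and a DNS-rebinding target resolves differently at detection time than it did for the game server. Pair this check with DNS query logs, or with the cloud provider's own metadata access logs, to close that gap.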
Advanced Mitigation Techniques
- eBPF-Based Filtering:
- Use eBPF/XDP to block metadata endpoint access at the kernel level.
- Network Microsegmentation:
- Isolate Minecraft servers in a zero-trust network segment.
- Runtime Application Self-Protection (RASP):
- Deploy RASP solutions to monitor and block malicious Lua execution.
Conclusion
CVE-2023-37261 is a critical vulnerability with far-reaching implications for cloud security, particularly in gaming environments. The combination of unauthenticated remote access, cloud metadata exposure, and IPv6 misconfigurations makes it a high-risk issue that requires immediate patching and network-level controls.
Key Takeaways for Security Teams:
✅ Patch immediately to OpenComputers 1.8.3+.
✅ Disable Internet Card if not needed.
✅ Block metadata endpoints at the network level.
✅ Monitor for exploitation attempts (metadata API calls, IPv6 scans).
✅ Educate Minecraft server operators on cloud security risks.
This vulnerability serves as a reminder that gaming mods can introduce enterprise-level risks, and organizations should treat modded Minecraft servers with the same security rigor as production systems.